From 3c51cb5ff1d0db41fb3288fb555c7e7055cf3e86 Mon Sep 17 00:00:00 2001
From: Christian Lamparter <chunkeey@gmail.com>
Date: Wed, 1 Dec 2021 14:41:31 +0100
Subject: [PATCH] ca-certificates: fix python3-cryptography woes in
 certdata2pem.py

reverts the code portion of the Debian's ca-certificate
commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")

It broke builds with the popular Ubuntu 20.04 (focal) releases.
This was due to them shipping with an older python3-cryptography
version which is not compatible.

More concerns were raised by jow- as well:
"We don't want the build to depend on the local system time anyway."

Reported-by: Chen Minqiang <ptpt52@gmail.com>
Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
---
--- a/mozilla/certdata2pem.py
+++ b/mozilla/certdata2pem.py
@@ -21,16 +21,12 @@
 # USA.
 
 import base64
-import datetime
 import os.path
 import re
 import sys
 import textwrap
 import io
 
-from cryptography import x509
-
-
 objects = []
 
 # Dirty file parser.
@@ -121,13 +117,6 @@ for obj in objects:
     if obj['CKA_CLASS'] == 'CKO_CERTIFICATE':
         if not obj['CKA_LABEL'] in trust or not trust[obj['CKA_LABEL']]:
             continue
-
-        cert = x509.load_der_x509_certificate(bytes(obj['CKA_VALUE']))
-        if cert.not_valid_after < datetime.datetime.utcnow():
-            print('!'*74)
-            print('Trusted but expired certificate found: %s' % obj['CKA_LABEL'])
-            print('!'*74)
-
         bname = obj['CKA_LABEL'][1:-1].replace('/', '_')\
                                       .replace(' ', '_')\
                                       .replace('(', '=')\
